[Openswan Users] IPSec, Windows XP/2000 and Dead Peer Detection

Juha Pietikäinen juha.pietikainen at connet.net
Mon Oct 17 11:42:52 CEST 2005


This is just a guess, but NAT-T adds some overhead (about 20 bytes) to the 
IP packets and so it needs extra bytes reserved from the mtu setting.
Those settings that I sent work in my case because I don't have any NATed 
clients.
Could you try again with setting "mtu 1300" in options.l2tpd?
If it works, you can try to adjust to the correct values later. I guess that 
the optimal value should be somewhere between 1320 and 1340 with these settings.

It is also possible that NAT-T is still broken in os2.4.2dr2 with kernel 
2.4.31.
Maybe Paul knows more about this?

Juha Pietikäinen

>
> Andrej Trobentar wrote:
>> Juha Pietikäinen wrote:
>>
>>>>Hi,
>>>>
>>>>I have os 2.4.2dr2 running with kernel 2.4.31.
>>>>
>>>>I have ended up using these settings with a quick trial and error method:
>>>>
>>>>ipsec.conf:
>>>>override mtu = 1430
>>>>
>>>>options.l2tpd:
>>>>mtu 1360
>>>>mru 500
>>>>
>>>>It was discussed in one earlier message that
>>>>MRU 500 is caused by incompatible PMTU with Windows clients.
>>>>
>>>>I noticed this low mru issue when I upgraded OS from version 2.2.1 to
>>>>version 2.4
>>>>
>>>>With Os 2.2.1 it was possible to use same MTU and MRU value.
>>>>
>>>>I haven't got any NATed clients now but this version (2.4.2dr2) seems
>>>>to work with "nat traversal = yes"
>>>>as version 2.4.1 didn't work at all with it. NAT-T worked fine with os
>>>>2.2.1 and Windows XP Pro (SP2) clients.
>>
>>
>> Hello,
>>
>> This works for me too at the moment! My static tunnels and my roadwarrior
>>  setup work. I have to test it a little more to be sure, but so far
>> everything is working.
>>
>> Regarding the Windows XP/2000 disconnects I have to wait for the feedback
>> from my co-workers. Maybe this release will resolve these issues...
>
> Hello,
>
> Well, I was happy too soon :( After I changed these things that Juha
> suggested my *NATed* roadwarrior clients can't connect anymore!
> Roadwarriors *without* NAT are working. The IPSEC is established, but
> the verification phase with the l2tpd doesn't begin. Here's the log from
> IPSEC :
>
> Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
> ignoring Vendor ID payload [MS NT5 ISAKMPOAKLEY 00000004]
> Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
> ignoring Vendor ID payload [FRAGMENTATION]
> Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
> received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] method set
> to=106
> Oct 17 08:31:51 rikom pluto[1472]: packet from 82.149.2.245:500:
> ignoring Vendor ID payload [Vid-Initial-Contact]
> Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: responding to Main Mode from unknown peer 82.149.2.245
> Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: transition from state STATE_MAIN_R0 to state STATE_MAIN_R1
> Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: STATE_MAIN_R1: sent MR1, expecting MI2
> Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: NAT-Traversal: Result using draft-ietf-ipsec-nat-t-ike-02/03: peer
> is NATed
> Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: transition from state STATE_MAIN_R1 to state STATE_MAIN_R2
> Oct 17 08:31:51 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: STATE_MAIN_R2: sent MR2, expecting MI3
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: Main mode peer ID is ID_DER_ASN1_DN: 'C=SI, ST=Slovenija,
> L=Maribor, O=Rikom d.o.o., OU=VPN Tine Zorko, CN=VPN Tine Zorko,
> E=tine.zorko at rikom.si'
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[17] 82.149.2.245
> #181: crl update for "C=SI, ST=Slovenija, L=Maribor, O=Rikom d.o.o.,
> CN=Rikom Root Certificate, E=admin at rikom.si" is overdue since Jul 20
> 09:29:14 UTC 2005
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #181: deleting connection "roadwarior-l2tpd" instance with peer
> 82.149.2.245 {isakmp=#0/ipsec=#0}
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #181: I am sending my cert
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #181: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
> Oct 17 08:31:52 rikom pluto[1472]: | NAT-T: new mapping
> 82.149.2.245:500/4500)
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #181: STATE_MAIN_R3: sent MR3, ISAKMP SA established
> {auth=OAKLEY_RSA_SIG cipher=oakley_3des_cbc_192 prf=oakley_sha
> group=modp2048}
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #182: responding to Quick Mode {msgid:4d9e2083}
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #182: transition from state STATE_QUICK_R0 to state STATE_QUICK_R1
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #182: STATE_QUICK_R1: sent QR1, inbound IPsec SA installed, expecting QI2
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #182: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
> Oct 17 08:31:52 rikom pluto[1472]: "roadwarior-l2tpd"[18] 82.149.2.245
> #182: STATE_QUICK_R2: IPsec SA established {ESP=>0x81453f42 <0x8e93d891
> xfrm=3DES_0-HMAC_MD5 NATD=82.149.2.245:4500 DPD=none}
>
>
> I have NO log messages from l2tpd (yes, my l2tpd is running). Any ideas?
>
> - --
> Thanks,
>
> Andrej.
>
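
The thread settles on its MTU values by trial and error. The script below is an
added worked example (not code from the original posts or from Openswan) that
computes the encapsulation overhead of L2TP over ESP transport mode instead, so
the "mtu" for options.l2tpd can be derived from the path MTU. Header sizes are
taken from the RFCs (RFC 2406 ESP, RFC 3948 UDP-encapsulated ESP, RFC 2661 L2TP,
RFC 1661 PPP); the L2TP data header (6 bytes, no length or sequence fields) and
the PPP header (4 bytes, no address/control or protocol compression) are
assumptions and should be checked against a capture of your own tunnel. The
cipher and integrity algorithm default to the 3DES/HMAC-MD5 combination shown in
the log above.

```python
"""MTU calculator for L2TP/IPsec (ESP transport mode), with or without NAT-T.

Added example, not part of the original mailing-list thread. Header sizes
come from the ESP, NAT-T, L2TP and PPP RFCs; the L2TP and PPP header sizes
are assumptions (verify them with a packet capture of your own tunnel).
"""

import math
from dataclasses import dataclass

IP_HDR = 20          # outer IPv4 header without options
UDP_HDR = 8          # used twice: L2TP's UDP 1701 and NAT-T's UDP 4500
ESP_HDR = 8          # SPI + sequence number
ESP_TRAILER = 2      # pad length + next header, inside the encrypted part
ICV_96 = 12          # HMAC-MD5-96 / HMAC-SHA1-96 truncated ICV
L2TP_DATA_HDR = 6    # assumption: flags/version, tunnel id, session id only
PPP_HDR = 4          # assumption: 0xFF 0x03 address/control + 2-byte protocol

# cipher name -> (IV length, block size) in bytes
CIPHERS = {
    "3des": (8, 8),
    "aes": (16, 16),
    "null": (0, 4),  # ESP_NULL still pads the payload to a 4-byte boundary
}


@dataclass
class TunnelParams:
    cipher: str = "3des"
    nat_t: bool = False          # RFC 3948 UDP encapsulation on port 4500
    l2tp_hdr: int = L2TP_DATA_HDR
    ppp_hdr: int = PPP_HDR
    icv: int = ICV_96


def outer_size(inner_len: int, p: TunnelParams) -> int:
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[p.cipher]
    # Everything that ends up inside the ESP encrypted portion: the UDP/L2TP/PPP
    # headers, the inner IP packet and the two trailer bytes, padded to the
    # cipher block size.
    plaintext = UDP_HDR + p.l2tp_hdr + p.ppp_hdr + inner_len + ESP_TRAILER
    padded = math.ceil(plaintext / block) * block
    size = IP_HDR + ESP_HDR + iv + padded + p.icv
    if p.nat_t:
        size += UDP_HDR      # the only extra cost of NAT-T on ESP packets
    return size


def max_inner_mtu(path_mtu: int, p: TunnelParams) -> int:
    """Largest inner (PPP) MTU whose encapsulated form still fits path_mtu."""
    inner = path_mtu
    while inner > 0 and outer_size(inner, p) > path_mtu:
        inner -= 1
    return inner


def nat_t_cost(path_mtu: int, p: TunnelParams) -> int:
    """How many bytes of inner MTU switching on NAT-T costs for these params."""
    plain = TunnelParams(p.cipher, False, p.l2tp_hdr, p.ppp_hdr, p.icv)
    natted = TunnelParams(p.cipher, True, p.l2tp_hdr, p.ppp_hdr, p.icv)
    return max_inner_mtu(path_mtu, plain) - max_inner_mtu(path_mtu, natted)


if __name__ == "__main__":
    for nat in (False, True):
        params = TunnelParams(nat_t=nat)
        mtu = max_inner_mtu(1500, params)
        print(f"3DES/HMAC-MD5 nat_t={nat}: max PPP MTU {mtu}, "
              f"wire size {outer_size(mtu, params)}")
    print("NAT-T costs", nat_t_cost(1500, TunnelParams()), "bytes of inner MTU")
```

Running it for a 1500-byte path with 3DES gives 1428 bytes of inner MTU
without NAT-T and 1420 with it; the difference is exactly the 8-byte UDP header
of RFC 3948, and the 3DES padding makes the usable values move in steps of 8. A
value such as "mtu 1360" therefore leaves a comfortable margin, which is what
you want when the road warrior's own path MTU (PPPoE, DSL) is below 1500.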
